CVE-2019-2066

Vulnerability

A missing bounds check in libxaac, the Android AAC audio codec library, allows an out-of-bounds write. This vulnerability affects Android 10 (security patch level 2019-09-01 and earlier) and is identified by Android ID A-117100617. An attacker can trigger the flaw via a specially crafted audio file processed by the library.

Exploitation

The attacker requires no privileges beyond user interaction. The victim must open a malicious audio file (e.g., through a media player or messaging app) that passes the file to the affected libxaac decoder. The missing bounds check enables a write beyond the allocated buffer during decoding.

Impact

Successful exploitation results in remote code execution (RCE) in the context of the affected process, typically the media server or the application processing the audio. This can lead to full compromise of the device's sensitive data and functionality.

Mitigation

The fix was released as part of Android 10 (security patch level 2019-09-01) on August 20, 2019 [1]. Users should update to Android 10 or apply the September 2019 security patch. Devices with a patch level of 2019-09-01 or later are protected. No other workarounds are documented in the available references.